Response to the Home Office's Regulation of Investigatory Powers Act Consultation: Acquisition and Disclosure of Communications Data and Retention of Communications Data Codes of Practice
Regulation of Investigatory Powers Act Consultation: Acquisition and Disclosure of Communications Data and Retention of Communications Data Codes of Practice
I. New Retention of Communications Data Code of Practice
General – unlawfulness of the parent legislation
Specific provisions in the Code of Practice
“27 Those data, taken as a whole, may allow very precise conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them.”
“In meeting the European Court Judgment’s opinions where possible, the new legislation (in the form of primary legislation and supporting regulations) will go further in safeguarding human rights. These additional safeguards will include: … Amending the set period for which data is retained, from 12 months to a maximum of 12 months (allowing for shorter periods if there is lesser need).”
II. Updated Acquisition and Disclosure of Communications Data Code of Practice
Response to the list of key changes
16. The Code of Practice provides for designated persons to be independent from operations for authorisations related to those operations. This is a minor improvement on the current position, but it does not go anywhere near far enough to ensure that the decision-maker is sufficiently independent. Judicial authorisation of all requests would ensure decisions regarding access to data are taken by an individual who is genuinely independent. The fact that it was necessary to make this change demonstrates the extreme lack of independent decision-making at present.
17. The giving of additional consideration by law enforcement and the recording of applications would not constitute adequate safeguards for privileged or confidential information. This change amounts to little more than record keeping. Judicial authorisation of requests for communications data would be a far more effective safeguard. Judicial authorisation should apply not only to requests relating to journalists or lawyers, but to all requests for communications data (as well as the interception of content). As discussed above, a requirement of judicial authorisation would provide genuinely independent decision-making.
18. Whilst the accessing of lawyers’ privileged communications and journalists’ source-revealing communications is particularly concerning, providing additional protection for these groups alone will not rectify the fundamental deficiencies in RIPA and DRIPA. Comprehensive reform is required. RIPA and DRIPA must be repealed and replaced by new comprehensive surveillance legislation that contains rigorous oversight mechanisms. RIPA is outdated, opaque and does not provide sufficient protection for communications data (as well as allowing mass interception of content to occur). As discussed above (see paragraphs 1 – 4), DRIPA is unlikely to be compliant with EU law or the European Convention on Human Rights.
19. Everyone, not only journalists, are entitled to a communications data retention and access regime that is compliant with human rights and in particular the right to privacy. As discussed above,analysis of communications data alone can create a complex picture of an individual’s life. Communications data should therefore be afforded the same protection as the content of communications. It should be subject to the same authorisation regime, which should be judicial authorisation. The CJEU identified the lack of an independent administrative or judicial body making decisions regarding access as one of the factors that rendered the Data Retention Directive in breach of fundamental rights (see paragraph 3 above). Access to communications data should only be allowed where it is strictly necessary and proportionate. A judge is best placed to decide whether this is the case.
20. If journalists are to be singled out for special protection it should be noted that they do not constitute a clear category and anyone publishing information may be considered as a journalist. Journalists are not limited to individuals employed by publications; they include freelance writers, and also include the writers of non-publications such as blogs and of aggregations of information such as those created with Storify and Tumblr. Perpetuating a pre-Internet understanding of "journalism" is itself to disregard rights. Again an independent judge should consider this issue and where the case is difficult to determine the judge should be able to seek advice from suitable independent experts. Similarly, the ICO has established that NGOs can also be covered by the journalistic exception in section 32 Data Protection Act. The type of data being requested is important as well as the identity of the person communicating, for example whether it relates to sources or litigation.
21. The consultation document specifically requests views regarding additional safeguards, such as “a requirement to flag all applications for the communications data of those in professions that handle confidential information (e.g. lawyers and journalists) to the Interception of Communications Commissioner at his next inspection”. The consultation document notes it would particularly welcome views on whether the draft code sufficiently protects freedom of expression. We do not consider that the code is sufficiently protective at present. Whilst we would have no objection to the suggested measure, which would provide a small degree of additional protection, we remain of the view that the only way to provide adequate protection is to require judicial authorisation of all requests for communications data. This is the only way that privacy and freedom of expression will be adequately protected.
22. Paragraph 3.72 states that: Communications data is not subject to any form of professional privilege – the fact a communication took place does not disclose what was discussed, considered or advised. This statement isincorrect. Communications data may attract legal privilege in the form of litigation privilege. It is not necessary for a communication to “disclose what was discussed, considered or advised” for litigation privilege to apply.Litigation privilege can exist in relation to any documents or communications which have been produced for the dominant purpose of obtaining advice in relation to litigation, obtaining or collecting evidence for the litigation, or obtaining information which may assist in obtaining or collecting such evidence.If, in the normal course of litigation, a party requests disclosure of communications data, the request would be refused on the ground of litigation privilege. In this context communications data would include records of a lawyer contacting specific people, for example potential witnesses.
23. Paragraph 3.77 reflects the obligation on local authorities to seek judicial approval from a magistrate or sheriff for all requests for communications data. This requirement should be extended to all public authorities making requests for communications data.
24. Increased transparency on the scale of surveillance is necessary. It is a positive step to require public authorities to keep more detailed records in the interests of transparency. In order to provide real transparency the Interception of Communications Commissioner should publish the data as fully as possible.
25. Paragraph 6.8states that “the Interception of Communications Commissioner will not seek to publish statistical information where it appears to him that doing so would be contrary to the public interest, or would be prejudicial to national security.” This provides too wide a discretion to the Interception of Communications Commissioner to decide not to publish the statistics. Clearer guidance is needed on when the statistics will be published and when they will not.
26. One way of addressing this would be to divide the types of statistics into categories. The first category of statistics would be the most general and top level (such as the number of requests and the numbers approved and rejected as well as types of data requested). This data must always be published and there should be no public interest / national security exception, as such aggregate data would not damage national security and is essential in a democratic society. The second level of statistics would contain more granular information and should be subject to a presumption of publication and the Interception of Communications Commissioner would have to make a case for why they should not be published if he believes they should not be. We consider “public interest” is too vague a justification for not publishing; better reasons would be national security and jeopardizing ongoing investigations. Finally, the third category would be the most granular and specific information, for which the presumption would be reversed so that it would be expected the information would not be published. However, third parties should still have the ability to put forward arguments as to why some of that information could be published in certain circumstances.
27. Aggregate information on the number of surveillance authorisation requests approved and rejected enables citizens to understand the scale of surveillance requests made and what proportion of these are determined to be necessary and proportionate. The published data should contain a disaggregation of the requests by service provider, including the investigation type and purpose.
28. We have no comments on the above listed paragraphs.
Other provisions of the Code of Practice
29. Paragraph 1.5 of the Code of Practice states that Section 4 of DRIPA “clarified that communications data access powers under RIPA are exercisable in respect of those CSPs that provide a service to the United Kingdom from outside of the country.” This provision was not merely a clarification. It was a purported extension of the government’s powers in respect of accessing communications data (as well as interception). It imposes, for the first time in UK legislation, liability on foreign telecommunications operators for failing to comply with a data request (or interception warrant). It sets a dangerous precedent for other states to follow and encourages the development of a complex global web of demands, potentially bypassing Mutual Legal Assistance Treaties. It is unclear whether the provision is compliant with the “in accordance with the law” requirements of the ECHR and the Charter.
 Directive 2006/24/EC
 Digital Rights Ireland, joined cases C-293/12 and C-594/12
 paragraph 59, DRI judgment
 paragraph 58
 paragraph 62
 paragraph 61
 paragraph 68
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)
 See also European Parliament Legal Service opinion https://s3.amazonaws.com/access.3cdn.net/27bd1765fade54d896_l2m6i61fe.pdf
 Paragraph 7.1, Code of Practice
 Paragraph 7.10, Code of Practice
 Para 63, Digital Rights Ireland judgment
 See the demands in the policy paper Reforming Surveillance, by the Don’t Spy on Us coalition, of which Open Rights Group is a member, available at: https://www.dontspyonus.org.uk/assets/files/pdfs/reports/DSOU_Reforming_surveillance.pdf